Annoyed by cookie consent notices? There is a method behind it!

After GDPR came into effect on May 25th, website owners have deployed complex mechanisms, trying to get users to consent to being tracked on their sites. We take a look at the rushed, rough and rogue UX of services getting you to opt in.

The General Data Protection Regulation (GDPR), which is expected to have an effect on how the data collected via online tracking is handled, has now been in force for nearly four weeks. One observable result of the GDPR is a rise in the use of Consent Management Platforms (CMPs) by websites. These services manage the cookie consent notices shown. Now that GDPR is in place, European users should be informed of all services collecting data on the site and be able to opt out of certain practices and data collection. This means that these CMPs have become much more prominent, providing deeper controls, and propagating user consent to third-party services.

Using WhoTracks.me data, we observe several new CMPs appearing this month, as well as existing providers increasing their presence. The data lets us detect where each CMP is present, so we can compare their approaches to asking for user consent. We present a short survey of them here:

TrustArc (formerly TRUSTe) have been providing cookie consent dialogs since the original ePrivacy regulation introduced the concept. The WhoTracks.me data shows that their reach has doubled in recent months as they have obviously gained customers using their services for GDPR compliance.

Their familiar consent popup now has improved opt-out capabilities. These are, however, hidden behind a ‘More Information’ link. This popup has not changed from the pre-GDPR options, so users may not realize that improved opt-out options are hidden behind this button. The styling of the button as a link also does not suggest that consent can be configured.

TrustArc: Consent popup

The ‘More Information’ button leads to a screen where consent can be specified for different cookie types. On the tested site (MyFitnessPal.com) this view had all types enabled by default.

TrustArc: Choosing consent settings

After submitting, we hit a processing dialog. In our testing this processing takes minutes to complete, and blocks access to the underlying page until it completes. This poor user experience may reduce the number of users who will actually take the time to express consent settings. After waiting minutes once, they may subsequently simply agree to all, or just abandon sites that present this dialog.

TrustArc: Processing......

Another manifestation of the TrustArc CMP, found on Weather Underground, provides a more detailed popup, including details of the third parties in each category. This version, however, also suffers from a long processing time once consent has been expressed.

In response to the GDPR, the advertising business organization Interactive Advertising Bureau (IAB) proposed a framework for propagating user consent through ad-networks. The GDPR Transparency and Consent Framework aims to create a standardized expression of consent which can be passed around ad networks.

In this framework, CMPs are registered and a first party cookie specifies which CMP obtained the consent on this site, and which purposes and vendors are permitted. The CMP code and vendor list are served from a single domain, consensu.org, which means WhoTracks.me can measure that it is already in use on 0.5% of sites.
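The cookie described above carries its fields as a base64url-encoded bit string. As an added example (not from the article or from the IAB's own code), the decoder below follows the version 1 consent string layout, which the article does not spell out; `build_sample` and its values, including CMP id 999, are constructed for illustration.

```python
import base64

# Header fields of a version 1 consent string, in order: (name, width in bits).
FIELDS = [("version", 6), ("created", 36), ("last_updated", 36),
          ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
          ("consent_language", 12), ("vendor_list_version", 12),
          ("purposes_allowed", 24), ("max_vendor_id", 16), ("encoding_type", 1)]

def decode_consent(consent_string):
    """Return which CMP wrote the string and the purposes/vendors it permits."""
    padded = consent_string + "=" * (-len(consent_string) % 4)
    bits = "".join(f"{b:08b}" for b in base64.urlsafe_b64decode(padded))
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(bits):
            raise ValueError("consent string is truncated")
        pos += n
        return int(bits[pos - n:pos], 2)
    out = {name: take(width) for name, width in FIELDS}
    if out["version"] != 1:
        raise ValueError("only the version 1 layout is handled here")
    lang = out["consent_language"]  # two letters, 6 bits each, A=0
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    mask = out.pop("purposes_allowed")  # leftmost bit is purpose 1
    out["purposes"] = [i + 1 for i in range(24) if mask >> (23 - i) & 1]
    ids = range(1, out["max_vendor_id"] + 1)
    if out.pop("encoding_type") == 0:  # bit field: one bit per vendor id
        out["vendors"] = [v for v in ids if take(1)]
    else:  # ranges list the vendors that differ from the default
        default, listed = bool(take(1)), set()
        for _ in range(take(12)):
            is_range, start = take(1), take(16)
            listed.update(range(start, (take(16) if is_range else start) + 1))
        out["vendors"] = [v for v in ids if (v in listed) != default]
    return out

def build_sample(encoding_type, tail_bits):
    """Constructed test string (not captured from any site); CMP id 999 is made up."""
    values = [1, 15270000000, 15270000000, 999, 1, 0, (4 << 6) | 13, 80,
              0b101 << 21, 8, encoding_type]
    bits = "".join(f"{v:0{w}b}" for v, (_, w) in zip(values, FIELDS)) + tail_bits
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

if __name__ == "__main__":
    print(decode_consent(build_sample(0, "01000001")))
```

Decoding the value a site has stored shows whether the options ticked in its dialog match the purposes and vendors actually recorded as permitted.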

An example of this framework can be seen on SourceForge. In this case, Quantserve acts as the CMP to set the IAB consent cookie. Note this framework allows first-party and third-party consents to be specified separately for a standardized set of purposes.

Quantserve consent dialog, using the IAB framework

Unlike the TrustArc consent, opting out in this dialog is instant. Furthermore, in testing, all options were disabled by default, and a blanket opt out is also made easy.

A new service which appeared in the WhoTracks.me data this month is Cookiebot, which is already present on 0.3% of websites. They provide a very simple, clean dialog to allow quick specification of consent.

One site using this service is GitLab. We note here that all options are selected by default, and consent is assumed even if the user does not click ‘OK’.

Cookiebot dialog on gitlab.com

The ‘Show details’ button provides more detailed information about which providers and cookies fall under each category.

Lastly, OneTrust. This service does not appear among the top trackers this month; however, we can still see its presence on some sites.

One feature of this CMP seems to be its configurability. We find multiple different levels of options available on different sites. Firstly, the cookie banner, shown at the bottom of the page, may provide configurability via a ‘More Information’ button. For example, on CNN:

OneTrust banner on CNN

However, we also found examples where one can only accept, for example on express.de:

OneTrust banner on express.de

Secondly, the information dialog may or may not allow the user to opt out. We can compare the dialogs on cnn.com and mailchimp.com. On MailChimp, all non-essential cookie categories offer an opt-out, while on CNN the interface only provides information about the category, with no options for the user except accept.

OneTrust Preference Center on cnn.com and mailchimp.com

Again, opt-out (when available) is instant.

Conclusion

Since GDPR came into force we have seen a marked increase in cookie consent notices, many of which block access to the page until consent is obtained. These CMPs aim to standardize the process, making it easier for users to quickly express their preferences. However, as we have seen in this article, the current main CMPs differ in their approach to the problem.

As many publishers' main aim in deploying a CMP will be to achieve maximum opt-in while remaining compliant with the law, there is a strong incentive for platforms to deceive users into consenting. Examples such as TrustArc show some dark patterns which nudge users towards accepting all. Platforms which provide clear opt-outs, and leave options unticked by default, may suffer for providing a better user experience.

The importance of consent for publishers who rely on advertising revenue, and their willingness to test users’ goodwill in order to obtain consent, can be seen from this dialog, seen when visiting GHacks having opted out of data collection.

Dialog seen on ghacks.net asking for user to reconsider consent settings

Despite criticism of its method of communicating user consent, the openness of the IAB Framework is welcome, as it opens up the possibility for standardized browser interfaces for consent. This would take control of the consent UX out of the hands of site owners, who will be incentivized to ‘cheat’, and make it neutral and consistent.